Parallel Symbolic Execution for Structural Test Generation
一.文章的主要思想:利用前置条件(pre-conditions)集合划分符号执行树,从而有效地把符号执行分布到多个进程或处理器上,以减低遍历符号执行数的时间。前置条件用首先执行一个"shallow"符号执行来得到,他通过执行用户的代码搜集大量的路径约束,这些路径约束被处理以产生被前置条件用到的约束列表。这个技术就叫做Simple Static Partitioning(SSP)。
二.划分符号以并行执行:
思路:首先,产生一个约束队列;其次,把这些约束分配给workes.
RDFS:Random depth first search,performs depth first search hile randomly selecting the order branches in the tree are explored.
(1).Simple Static Partitioning (SSP)
要求约束集是disjoint and complete。对于约束集中的任何两个约束A与B,如果A ^ B是false,我们就说该约束集是disjoint的。如果约束集中的所有约束的析取为真,那么每一个可能的的路径会至少被符号执行的一个实例遍历到,我们说该约束集是complete的。如果一个约束会影响符号的执行,那么我们说该约束是有用的。
SSP with inputs depth D and suggested queue size SQS:
1. Perform shallow execution, collecting all PCs at depth D.
2. Split each PC into individual constraints and count the frequency of each constraint. Place every constraint in a set IndCons along with its frequency.
3. Count the frequency of each symbolic variable in IndCons. Place every variable in a set AvailableVars along with its frequency.
4. Using IndCons, label symbolic variables as “expensive” or “cheap”, where “cheap” variables are used only in constraints that are “cheap”.
Constraints are “expensive” if they use multiplication and/or division,
and “cheap”otherwise.
5. Create an empty set GeneratedConstraints, containing sets of constraints generated by SSP. The product of the size of each set of constraints represents the number of constraints we can generate (we term this numGeneratable).
6. While numGeneratable < SQS:
(a) Choose the cheap variable V with the highest frequency from AvailableVars. If no cheap variable is in AvailableVars, choose the expensive variable V with the highest frequency.
(b) If V (1) is only referenced in equality constraints, (2) a symbolic integer and (3) the range of V is no more than twice the number of equalities using V in IndCons, then: Add {All constraints referencing V} to GeneratedConstraints else:
C = Most common constraint referencing V in C Add {C, ¬C} to GeneratedConstraints (c) Remove every variable referenced in GeneratedConstraints from AvailableVars.
7. Generate every combination of constraints using the sets in GeneratedConstraints (i.e, Cartesian product of GeneratedConstraints). Each combination represents a conjunction of constraints. Order the conjunctions (process described under Constraint Queue) to create
ConstraintQueue.
核心思想:
通常常用的变量极有可能被用来划分状太空间;当遇到乘法和除法的时候,constraint solvers的性能会急剧下降,所以要避免这样的约束;如果V只取小范围有限的值,那么就运用所有关于V的约束,而不是之选一个。
实例:
[1] int r;
[2] while (true) {
[3] boolean b = Debug.getSymbolicBoolean("b");
[4] int x = Debug.getSymbolicInteger("x");
[5] int y = Debug.getSymbolicInteger("y");
[6]
[7] if (b) {
[8] Debug.storeTraceIf(x>y, "ob1");
[9] if (x > y)
[10] r = x;
[11] else
[12] r = y;
[13] }
[14] }
第一步,利用此例来运行SSP,depth=3,SQS=4。执行过程如下:
Step 1: Collected PCs = {b ^ x > y, b ^ x <= y, ¬b ^ b2, ¬b ^ ¬b2 }
Step 2: IndCons = {(b, 2), (¬b, 2), (x > y, 1), (x <= y, 1), (b2, 1),(¬b2, 1) }
Step 3: AvailableVars= {(b, 4), (x, 2), (y, 2), (b2, 2) }
Step 6b: GeneratedConstraints (1st iteration) = {{b, ¬b}}
Step 6c: AvailableVars (1st iteration) = { (x, 2), (y, 2), (b2, 2)}
Step 6b: GeneratedConstraints (2nd iteration) = {{b, ¬b}, {x > y,x <= y} }
Step 6c: AvailableVars (2nd iteration) = { (b2, 2)}
Step 7: ConstraintQueue = {b^x > y, ¬b^x > y, b^x <= y, ¬b^x <= y}
产生了ConstraintQueue ,并对它进行排序。
第二步,分部并利用Constraints
ConstraintQueue转换为worker configurations,每一个worker configurations包含一个用来遍历子树的约束。当一个worker configurations被一个worker取回时,它所包含的约束被当做initial precondition。当initial precondition(x<=y)被运用时,具体操作如下图所示:
由于初始约束条件是(x<=y),所以sym x> sym y的那个分支未被遍历,如图2(a)。当另一个worker用(x>y) 作为初始约束条件时,树的另一部分会被遍历到。
第三步:Selective Concretization。
当我们以形式var == value使用 constraints 时,就叫做 selective concretization.In this technique, one or more variables normally assigned symbolic values are instead assigned a single concrete value. While functionally equivalent to directly using the constraint, replacing a symbolic variable with a single concrete value reduces the size of path constraints, potentially improving the performance of the constraint solver.
When the constraint used is b == true,and the variable b is concretized as true. This example is shown as figure 2(b).
However,this method presents problems: namely, unless we wish to create a very large number of partitions (> 1000), we must collect
PCs from a very shallow depth, thus partitioning using very limited information.This article desires a method of transforming a large set of PCs into a smaller set of partitions. SSP represents such a method.
三.PARALLEL JPF FRAMEWORK
1.Parallel JPF Instances
用户首先启动server-JPF manager,并为JPF manager提供parallel configuration。然后用户启动一个或多个客户端,它们直接连接到JPF manager。parallel configuration描述了JPF的实例如何被配置,它可以描述被所有并行实例都利用的global configuration,也可以描述单个worker使用的individual configuration,也被叫做worker configurations.These worker configurations are placed in a queue, and sent to clients upon request. Each client, upon receiving an worker configuration,creates and starts a JPF instance using the configuration.Upon termination of the JPF instance, the client will request a new worker configuration; if the queue is exhausted, the client exits.
2.Communication betweenWorkers
Remote listeners are specified in the worker configurations,and are registered with the worker’s JPF instance. Remote listener managers are specified in the parallel configuration given to the JPF manager, and are created and maintained by the JPF manager.Once created, remote listener managers generate and append configuration information for one or more remote listeners for each worker configuration, and communicate with these remote listeners during execution. Thus remote listener managers and remote listeners are associated in a one to many relationship– each remote listener manager communicates with every remote listener instance it configures. Communication between a remote
listener and a remote listener manager is bidirectional – the listener can send information to the remote listener manager, and the remote istener manager can send information in response.
3.Parallel Search
The simplest method is to implement a configurable JPF listener or heuristic. Running the parallel search technique is then done by running the same listener or heuristic, configured differently, on each worker. For example,to implement parallel RDFS, we implemented a JPF listener configurable with a “random seed” parameter to perform RDFS. To run parallel RDFS, we use a configuration globally specifying that workers should use RDFS and explore the same program, but that each worker should use a different seed. We use a remote listener to collect the results produced by each worker.
A different method would be to implement the technique as a remote listener, using the remote listener manager’s ability to generate configuration info. For example,SSP is implemented in this fashion; the remote listener manager runs the partitioning heuristic, and uses the resulting constraints to generate configuration info. Note that parallel search techniques that require communication during JPF’s execution must be implemented using a remote listener.
4.Example Remote Listener
Consider Figure 4 illustrating a remote listener we use for monitoring MC/DC test generation.
